Saturday, June 06, 2009

Last week one of the students in the UAB Computer Forensics program came to see me about a virus problem he'd been working on for a classmate. Her computer was infected with many malware programs, and my student, who works for me as a Malware Analyst, decided to take a look.

He came by to tell me about the situation, which involved a Facebook group that his classmate had joined. It was a group dedicated to organizing political action around a particular cause, with more than 40,000 members. At the top of their site it says "If you're looking for more information ..., visit our website" and gives the link.

Unfortunately, when any of the 40,000 members visited the link, they got a little extra surprise. The organizers didn't strike us as the type to be involved in infecting their membership to steal passwords, so we decided to make contact. They called back, and after checking my team out with some law enforcement references to verify that we are nice guys who are good at looking at viruses, they sent us everything they knew about their situation.

Their FTP transfer (xfer) logs indicated that the malicious content was uploaded to their server by a visitor from Ukraine, who had logged in using their webmaster's correct userid and password. It wasn't a poorly chosen password, and it wasn't brute forced. They logged in successfully on the first try, indicating that their webmaster probably had a keylogger running on his home computer. In other words, the webmaster's FTP password was known to the criminals.
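The check that surfaces this kind of compromise in a transfer log, as an added example that is not part of the original post: parse standard xferlog lines and flag completed uploads of web content that come from outside the networks the webmaster is known to use. The log lines and the trusted network are constructed for the example, and the code assumes the FTP server logs numeric client addresses.

```python
import ipaddress
import re

# Constructed sample lines in standard xferlog format (wu-ftpd / ProFTPD);
# addresses are documentation ranges, not real hosts. The first line is a
# download of the original page, then two uploads from the same foreign host.
SAMPLE_XFERLOG = """\
Mon Jun  1 22:14:03 2009 1 198.51.100.7 4821 /var/www/html/index.html a _ o r webmaster ftp 0 * c
Mon Jun  1 22:16:40 2009 2 198.51.100.7 5104 /var/www/html/index.html a _ i r webmaster ftp 0 * c
Mon Jun  1 22:16:52 2009 1 198.51.100.7 3377 /var/www/html/about.html a _ i r webmaster ftp 0 * c
Tue Jun  2 09:02:11 2009 3 203.0.113.20 2211 /var/www/html/press.html a _ i r webmaster ftp 0 * c
Tue Jun  2 09:05:30 2009 1 203.0.113.20 120553 /var/www/html/photo.jpg b _ i r webmaster ftp 0 * c
"""

# xferlog fields: timestamp, seconds, host, bytes, path, type, action,
# direction (i=upload, o=download, d=delete), access mode, user, service,
# auth method, auth user id, status (c=complete, i=incomplete).
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<action>\S) (?P<dir>[iod]) "
    r"(?P<mode>[arg]) (?P<user>\S+) (?P<svc>\S+) (?P<auth>\d) (?P<authuser>\S+) "
    r"(?P<status>[ci])$"
)

WEB_CONTENT = (".html", ".htm", ".php", ".js")

def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line."""
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_uploads(text, trusted_nets):
    """Completed uploads of web content from hosts outside the
    webmaster's trusted networks, as (timestamp, host, user, path)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for rec in parse_xferlog(text):
        if rec["dir"] != "i" or rec["status"] != "c":
            continue
        if not rec["path"].lower().endswith(WEB_CONTENT):
            continue
        if any(ipaddress.ip_address(rec["host"]) in n for n in nets):
            continue
        hits.append((rec["ts"], rec["host"], rec["user"], rec["path"]))
    return hits
```

A valid username on every flagged line is exactly the signal the post describes: the credential was not guessed, it was stolen.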

The biggest hint was the names of the two IFRAMEs which were located on the site:

Their original content was still in place, but someone had saved the code, added IFRAMEs pointing to the above URLs, and then logged in as the webmaster to upload the modified pages.

The two domains both resolve to the IP address 67.228.194.237, which belongs to SoftLayer Technologies in Dallas, Texas. We decided to look at what other domains were on the same IP address, and found 59 others.

Now, we know that just because two domains resolve to the same IP address does not mean they are related, so we compared the WHOIS information for some of the domains to each other.

Many of the domains were registered to Raymond Keaton or Scott Bell above, or also to Michelle Rea rea@cybernauttech.com.

Many of the domains were EXTREMELY POPULAR as well. For instance, "superbetfair.cn" had more than 50,000 visitors last month. (By comparison, this blog only gets around 10,000 visitors per month.)

But are all the domains malicious? To answer that question, we asked Google's SafeBrowsing project to assess whether the domains were known to be associated with malware, and if so, how many domains seemed to have been infected by the malware.

Here are the results we got. You can click on the number in the right-hand column to visit the current Google SafeBrowsing page for each domain. The numbers listed are the results as shown on Friday, June 5, 2009.

It should be noted that these domain names have been moved on several occasions (possibly as many as eleven as of this timestamp). We know that many of these domains previously resolved to: 94.247.3.150 and 77.221.154.138

Here are some searches on the site "Malware Domain List" that will be useful for tracking these domains:

It is common for malware in this group to use "in.cgi?income##" or "in.cgi?cocacola##" as the file name and query string in its IFRAME, where ## is any two-digit number. We believe "income" and "cocacola" are similar to affiliate tags, and that different malware may be dropped depending on which affiliate has routed the computer to the malware drop site.
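A scanner for that IFRAME convention, as an added example that is not from the original post: it pulls every IFRAME src out of a page, reports the ones that match the in.cgi?income## / in.cgi?cocacola## pattern with their host and affiliate number, and, because the group's original content was left in place, also diffs a live copy against a known-good backup. The sample pages and the .invalid hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Matches the convention described above: <host>/in.cgi?income## or
# <host>/in.cgi?cocacola##, where ## is a two-digit affiliate number.
AFFILIATE_RE = re.compile(
    r"^https?://(?P<host>[^/]+)/in\.cgi\?(?P<tag>income|cocacola)(?P<num>\d{2})$"
)

class IframeCollector(HTMLParser):
    """Collect the src of every IFRAME in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())

def iframe_sources(html):
    p = IframeCollector()
    p.feed(html)
    return p.srcs

def affiliate_iframes(html):
    """(host, tag, number) for each IFRAME whose src follows the in.cgi pattern."""
    hits = []
    for src in iframe_sources(html):
        m = AFFILIATE_RE.match(src)
        if m:
            hits.append((m.group("host"), m.group("tag"), m.group("num")))
    return hits

def injected_iframes(pristine_html, live_html):
    """IFRAME sources present in the live copy but absent from a known-good backup."""
    known = set(iframe_sources(pristine_html))
    return [s for s in iframe_sources(live_html) if s not in known]

# Constructed sample pages; .invalid hostnames cannot resolve.
PRISTINE = """<html><body><h1>Community group</h1>
<iframe src="http://www.example.com/embed/video" width="400" height="300"></iframe>
<p>If you're looking for more information, visit our website.</p></body></html>"""

LIVE = PRISTINE.replace("</body>",
    '<iframe src="http://drop-one.invalid/in.cgi?income12" width="0" height="0"></iframe>\n'
    '<iframe src="http://drop-two.invalid/in.cgi?cocacola07" width="1" height="1"></iframe>\n</body>')
```

The legitimate video embed is ignored by both checks, while the zero-size injected frames are reported with their affiliate tags.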

But what happens after you are sent to one of these IFRAME pages? That's what UAB Malware Analyst Brian Tanner set about to determine.

The pages that receive the IFRAME traffic currently have two exploits present on them - one which takes advantage of a known Flash Player exploit, and the other which takes advantage of a known Adobe PDF Reader exploit. When a poorly configured browser visits the page, it will attempt to play the ".swf" file with Flash Player and open the ".pdf" file with Adobe Reader. If the visitor is using an unpatched version of either the Player or the Reader, they will become infected.

Brian tested the PDF by installing Adobe Reader 7.0 (although we have since confirmed that all of the 7.x and 8.x versions of Adobe Reader are exploitable with this trick).

Upon opening the PDF file, JavaScript code embedded within the PDF causes it to download a program called pdfupd.exe. In our test example, it did so by visiting the site giantbeaversdiet.cn:8080/landig.php?id=8

IFRAMEs which have been injected into more than 48,000 domains, probably via an FTP upload of an altered webpage. How much traffic is going to the domain which indicates a successful compromise via the PDF exploit?

Some of the domains, which we decline to name here, have seen more than 260,000 unique US IP addresses visit them during the month of April 2009, according to Quantcast and Compete.com.

An interesting comment in the PDF file:

Boris like horilka

The Ukrainian word for vodka is horilka. We'd love to see more PDFs with that comment in them; if you have any samples, please send them to me!

Here is an expanded list of domains connected with this malware campaign: